FCA and PRA jointly fine Raphaels Bank £1.89 million for outsourcing failures

The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have jointly fined R. Raphael & Sons plc – the retail bank providing banking and related financial services – for failing to manage its outsourcing arrangements properly between April 2014 and December 2016. 

Raphaels has received separate fines of £775,100 from the FCA and £1,112,152 from the PRA in respect of these breaches (resulting in a combined fine of £1,887,252).

Raphaels’ Payment Services Division (PSD) operates prepaid card and charge card programmes both here in the UK and in Europe. The PSD relies on outsourced service providers to perform certain functions that are critical to the operation of its card programmes. These functions include the authorisation and processing of card transactions, a service performed by third party card processors.

Raphaels failed to have adequate processes in place to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers, particularly how they would support the continued operation of its card programmes during a disruptive event. The absence of such processes posed a risk to Raphaels’ operational resilience and exposed its customers to a serious risk of harm. These risks crystallised on 24 December 2015 when a technology incident occurred at a card processor.

The incident lasted over eight hours and caused the complete failure of the authorisation and processing services that the card processor provided to Raphaels. During this period, no fewer than 3,367 customers were unable to use their prepaid cards and charge cards. In total, the card processor could not authorise 5,356 customer card transactions attempted at Point of Sale terminals, ATMs and online.

Seasonal workers, who depended on their cards to receive their wages, used the largest prepaid card programme affected by the incident. The timing of the incident, on Christmas Eve, is likely to have exacerbated the impact of the outage still further.

Oversight and governance

Mark Steward, the FCA’s executive director of enforcement and market oversight, said: “Raphaels’ systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. There is no lower standard for outsourced systems and controls. Firms are accountable for failures by outsourcing providers.”

Sam Woods, deputy governor for Prudential Regulation and CEO of the PRA, added: “Firms’ ability to manage the outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model. In addition, this was a repeat failing which demonstrates a lack of adequate and timely remediation. This is a significant aggravating factor in this case leading to an uplift in the penalty.”

Raphaels’ specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk from Board level downwards. The joint FCA and PRA investigation identified weaknesses throughout the firm’s outsourcing systems and controls which Raphaels ought to have known about since April 2014. These included a lack of adequate consideration of outsourcing within its Board and departmental risk appetites, the absence of processes for identifying critical outsourced services and flaws in its initial and ongoing due diligence of outsourced service providers.

Raphaels’ outsourcing arrangements continued to be inadequate until the end of 2016, by which time the organisation had designed new outsourcing policies and procedures to remedy the failings.

Raphaels agreed to resolve this matter and therefore qualified for a 30% reduction in the fines imposed by both regulators. Without this discount, the combined fine imposed by the FCA and PRA would have been £2,709,574.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
